Laravel duplicates X-Content-Type-Options header
johnboc opened this issue · 6 comments
I am using secure-headers in a Laravel project and get an A when scanning the site using securityheaders.io. I do get the following two warnings:
X-Frame-Options There was a duplicate X-Frame-Options header.
X-Content-Type-Options There was a duplicate X-Content-Type-Options header.
Laravel is adding the duplicates from Illuminate\Http\Middleware\FrameGuard.php. Is there a way to prevent this occurring?
Thanks
Did you add Illuminate\Http\Middleware\FrameGuard.php to your app/Http/Kernel.php?
I couldn't find anywhere that laravel adds this middleware to middlewares.
No. I've searched all php files in the Laravel project for 'X-Frame-Options' with these results:
\config\secure-headers.php
- X-Frame-Options
- Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
'x-frame-options' => 'sameorigin',
\vendor\bepsvpt\secure-headers\config\secure-headers.php
- X-Frame-Options
- Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
'x-frame-options' => 'sameorigin',
\vendor\bepsvpt\secure-headers\src\SecureHeaders.php
'X-Frame-Options' => $this->config['x-frame-options'],
'X-Frame-Options' => $this->config['x-frame-options'],
\vendor\bepsvpt\secure-headers\tests\MiddlewareTest.php
$this->assertArrayHasKey('x-frame-options', $headers);
\vendor\bepsvpt\secure-headers\tests\SecureHeadersTest.php
$this->assertArrayHasKey('X-Frame-Options', $headers);
\vendor\laravel\framework\src\Illuminate\Http\Middleware\FrameGuard.php
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
FrameGuard is referenced in the following files only:
\vendor\composer\autoload_classmap.php
'Illuminate\Http\Middleware\FrameGuard' => $vendorDir . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',
'Illuminate\Http\Middleware\FrameGuard' => $vendorDir . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',
\vendor\composer\autoload_static.php
'Illuminate\Http\Middleware\FrameGuard' => __DIR__ . '/..' . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',
'Illuminate\Http\Middleware\FrameGuard' => __DIR__ . '/..' . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',
\vendor\laravel\framework\src\Illuminate\Http\Middleware\FrameGuard.php
class FrameGuard
The headers generated by Laravel are listed after those by secure-headers in the securityheaders.io report.
Did you set these two headers in web server config file, like nginx or apache?
Why didn't I think of that!!!! A colleague set up the nginx server, so it's a left hand, right hand problem.
Thank you
FYI, if you want to disable these two headers, just set them to null or an empty string.
If you have any further question, feel free to open a new issue or reply in this issue. 😄
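To reproduce the securityheaders.io "duplicate header" warning locally and see which layer (web server, Laravel's FrameGuard, or the secure-headers middleware) is emitting the second copy, here is an added checker that is not part of the secure-headers project; the raw response it parses is a constructed sample of what nginx plus Laravel would send when both set the headers.

```python
"""Detect duplicate security headers in a raw HTTP response.

Added example, not code from the secure-headers project. Feed it the raw
response from `curl -i` (or the constructed sample below) to see exactly
which headers arrive twice and whether the copies at least agree.
"""
from __future__ import annotations
from collections import defaultdict

# Constructed sample: nginx adds X-Frame-Options / X-Content-Type-Options via
# add_header, and the Laravel app (secure-headers + FrameGuard) adds them again.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lower-cased header name -> list of values, in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    lines = head.split("\r\n")[1:]               # drop the status line
    headers: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        if ":" not in line:
            continue                             # skip malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def find_duplicates(raw: str) -> dict[str, list[str]]:
    """Headers that appear more than once, with every value they carried."""
    return {n: v for n, v in parse_headers(raw).items() if len(v) > 1}


def duplicates_agree(raw: str) -> dict[str, bool]:
    """For each duplicated header, True if all copies match (case-insensitive).

    Identical copies are still flagged by securityheaders.io, but conflicting
    copies are the worse case because browsers may not pick the value you meant.
    """
    return {n: len({v.lower() for v in vals}) == 1
            for n, vals in find_duplicates(raw).items()}
```

Once the duplicated header is identified, remove it from whichever layer you do not want to own it (here the nginx add_header lines) so only one copy is sent.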